<html>
<head>
<title>看雪学苑</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
.p8 { font-size: 8pt}
.p9 { font-size: 9pt}
a:hover { color: #00FF00}
a { text-decoration: none}
.p12 { font-size: 12pt; font-weight: bold; color: #FF3333}
-->
</style>
</head>
<body bgcolor="#FFFFFF" vlink="#0033CC">
<table width="80%" border="1" cellspacing="0" cellpadding="0" align="center" bgcolor="#99CCFF" bordercolorlight="#99CCFF" bordercolordark="#99CCFF">
<tr>
<td width="72%" class="p9"><a href="http://toye.yeah.net/" tppabs="http://toye.yeah.net/">看雪 Tutorials</a></td>
<td width="10%" class="p9"> </td>
<td width="10%"><a href="index.htm" tppabs="http://toye.dihou.org/index.htm" class="p9">Back to<br>
Home <br>
</a></td>
<td width="8%"><a href="molu.htm" tppabs="http://toye.dihou.org/molu.htm" class="p9">Back to<br>
Contents </a></td>
</tr>
</table>
<table width="80%" cellspacing="0" cellpadding="0" align="center" bordercolorlight="#99CCFF" bordercolordark="#99CCFF">
<tr bgcolor="#E1F1F1">
<td>
<table width="100%" cellspacing="0" cellpadding="0">
<tr bgcolor="#FFFF33">
<td>
<div align="center" class="p12">Lesson 8: Static Disassembly</div>
</td>
</tr>
</table>
</td>
</tr>
</table>
<table width="80%" cellspacing="0" align="center">
<tr bgcolor="#CCFFFF" class="p9">
<td width="20%" bgcolor="#CCFFFF">
<div align="center"><a href="lesson811.htm" tppabs="http://toye.dihou.org/lesson811.htm">Introduction to W32Dasm</a></div>
</td>
<td width="20%" bgcolor="#CCFFFF">
<div align="center"><a href="lesson812.htm" tppabs="http://toye.dihou.org/lesson812.htm">HIEW Usage Guide</a></div>
</td>
<td width="20%" bgcolor="#CCFFFF">
<div align="center"><a href="lesson813.htm" tppabs="http://toye.dihou.org/lesson813.htm">IDA User Manual</a></div>
</td>
<td width="20%" bgcolor="#CCFFFF">
<div align="center"><a href="lesson814.htm" tppabs="http://toye.dihou.org/lesson814.htm">Cracking Tutorial</a></div>
</td>
<td width="20%" bgcolor="#FFFFFF">
<div align="center">Exercises</div>
</td>
</tr>
</table>
<p class="p9" align="left"><span class="p9">Note: this section uses the exercises from Lesson 5 as its examples; the required tool is W32DASM.</span></p>
<p class="p9" align="left"><span class="p9">1. Exercise 1 <a href="http://toye.dihou.org/exercise/lesson5-ex-1.zip" tppabs="http://toye.dihou.org/exercise/lesson5-ex-1.zip">lesson5-ex-1.zip</a>
</span></p>
<p align="left" class="p9">2. Exercise 2 <a href="http://toye.dihou.org/exercise/lesson5-ex-2.zip" tppabs="http://toye.dihou.org/exercise/lesson5-ex-2.zip">lesson5-ex-2.zip</a>
</p>
<p align="left" class="p9"> <span class="p9">
<script language="JavaScript1.2">
NS4 = (document.layers) ? 1 : 0;
IE4 = (document.all) ? 1 : 0;
ver4 = (NS4 || IE4) ? 1 : 0;
if (ver4) {
with (document) {
write("<STYLE TYPE='text/css'>");
if (NS4) {
write(".parent {position:absolute; visibility:visible}");
write(".child {position:absolute; visibility:visible}");
write(".regular {position:absolute; visibility:visible}")
}
else {
write(".child {display:none}")
}
write("</STYLE>");
}
}
function getIndex(el) {
ind = null;
for (i=0; i<document.layers.length; i++) {
whichEl = document.layers[i];
if (whichEl.id == el) {
ind = i;
break;
}
}
return ind;
}
function arrange() {
nextY = document.layers[firstInd].pageY +document.layers[firstInd].document.height;
for (i=firstInd+1; i<document.layers.length; i++) {
whichEl = document.layers[i];
if (whichEl.visibility != "hide") {
whichEl.pageY = nextY;
nextY += whichEl.document.height;
}
}
}
function initIt(){
if (!ver4) return;
if (NS4) {
for (i=0; i<document.layers.length; i++) {
whichEl = document.layers[i];
if (whichEl.id.indexOf("Child") != -1) whichEl.visibility = "hide";
}
arrange();
}
else {
divColl = document.all.tags("DIV");
for (i=0; i<divColl.length; i++) {
whichEl = divColl(i);
if (whichEl.className == "child") whichEl.style.display = "none";
}
}
}
function expandIt(el) {
if (!ver4) return;
if (IE4) {
whichEl = eval(el + "Child");
if (whichEl.style.display == "none") {
whichEl.style.display = "block";
}
else {
whichEl.style.display = "none";
}
}
else {
whichEl = eval("document." + el + "Child");
if (whichEl.visibility == "hide") {
whichEl.visibility = "show";
}
else {
whichEl.visibility = "hide";
}
arrange();
}
}
onload = initIt;
</script>
</span></p>
<div id="KB1Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB1'); return false">
1. Exercise 1 Answer</a> </span></div>
<div id="KB1Child" class="child"> <span class="p9"> </span>
<table width="100%" cellspacing="0" align="center">
<tr bgcolor="#EFEFEF">
<td>
<p class="p9">1. Tools: W32DASM;</p>
<p class="p9">2. Run the crackme, enter a fake serial number and click CHECK; an error dialog appears with the message "One of the Details you entered was wrong";</p>
<p class="p9">3. Exit the program, make a backup copy, and open the crackme in W32DASM to disassemble it;</p>
<p class="p9">4. Once disassembly is complete, click the <b><i>String Data References</i></b> button, find "One of the Details you entered" in the list of strings and double-click it. Note: the two words "was wrong" are missing from the list entry because the string is too long and was wrapped onto a second line.</p>
<p class="p9">5. Close this window and return to the main window; you should see the following lines:</p>
<p class="p9">:0040150C E833030000 Call 00401844 <br>
:00401511 8B07 mov eax, dword ptr [edi] <br>
:00401513 803836 cmp byte ptr [eax], 36 <br>
:00401516 751E jne 00401536 <br>
:00401518 80780132 cmp byte ptr [eax+01], 32 <br>
:0040151C 7518 jne 00401536 <br>
:0040151E 80780238 cmp byte ptr [eax+02], 38 <br>
:00401522 7512 jne 00401536 <br>
:00401524 80780337 cmp byte ptr [eax+03], 37 <br>
:00401528 750C jne 00401536 <br>
:0040152A 8078042D cmp byte ptr [eax+04], 2D <br>
:0040152E 7506 jne 00401536 <br>
:00401530 80780541 cmp byte ptr [eax+05], 41 <br>
:00401534 7417 je 0040154D <br>
<br>
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <br>
|:004014E4(C), :004014F3(C), :00401516(C), :0040151C(C), :00401522(C) <br>
|:00401528(C), :0040152E(C) <br>
| <br>
:00401536 6A00 push 00000000 <br>
<br>
* Possible StringData Ref from Data Obj ->"ERROR" <br>
| <br>
:00401538 6864304000 push 00403064 <br>
<br>
* Possible StringData Ref from Data Obj ->"<font color="#FF3333">One of the Details you entered</font> " //double-clicking the string lands here <br>
->"was wrong" <br>
| <br>
:0040153D 6838304000 push 00403038 <br>
:00401542 8BCE mov ecx, esi </p>
<p class="p9">6. Do you see what the code above is doing? Each byte of the entered serial is compared against a constant, and any mismatch jumps to the error message at 00401536: <br>
36(hex) = 6 <br>
32(hex) = 2 <br>
38(hex) = 8 <br>
37(hex) = 7 <br>
2D(hex) = - <br>
41(hex) = A <br>
So the serial number is 6287-A. Note that the name must be at least 6 characters long and has no bearing on the serial number. <br>
</p>
</td>
</tr>
</table>
<span class="p9"> </span></div>
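<p class="p9">Added example (not part of the original lesson): a Python script that reads the W32Dasm listing from step 5 of exercise 1, decodes each "cmp byte ptr [eax+N], imm8" from its opcode bytes rather than from the printed text, recomputes every jne/je target from its rel8 displacement, and rebuilds the constant the serial is compared against. The listing is a constructed copy of the page's listing, the function names are mine, and the short_jump_target helper also covers the "jne 00441822" in exercise 2.</p>

```python
import re
# Constructed sample: the W32Dasm listing quoted in the exercise-one answer, reflowed
# to one instruction per line (":ADDRESS OPCODEBYTES mnemonic operands").
LISTING = """\
:00401513 803836 cmp byte ptr [eax], 36
:00401516 751E jne 00401536
:00401518 80780132 cmp byte ptr [eax+01], 32
:0040151C 7518 jne 00401536
:0040151E 80780238 cmp byte ptr [eax+02], 38
:00401522 7512 jne 00401536
:00401524 80780337 cmp byte ptr [eax+03], 37
:00401528 750C jne 00401536
:0040152A 8078042D cmp byte ptr [eax+04], 2D
:0040152E 7506 jne 00401536
:00401530 80780541 cmp byte ptr [eax+05], 41
:00401534 7417 je 0040154D
"""
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")

def parse(listing):
    """Yield (address, opcode bytes, mnemonic, operand text) for each listing line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1], 16), bytes.fromhex(m[2]), m[3].lower(), m[4]

def decode_cmp_imm8(code):
    """Decode '80 /7 ib' (cmp r/m8, imm8) with a [eax] or [eax+disp8] operand into
    (displacement, imm8); any other encoding raises ValueError."""
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    # /7 selects CMP; rm=0 is [eax] (mod 0, 3 bytes) or [eax+disp8] (mod 1, 4 bytes)
    if code[0] != 0x80 or reg != 7 or rm != 0 or mod > 1 or len(code) != 3 + mod:
        raise ValueError(f"not cmp byte ptr [eax(+disp8)], imm8: {code.hex()}")
    return (code[2] if mod else 0), code[-1]

def short_jump_target(addr, code):
    """Target of a Jcc rel8 (74 = je, 75 = jne): next instruction plus signed disp8."""
    return addr + len(code) + int.from_bytes(code[1:2], "little", signed=True)

def recover_compared_string(listing):
    """Rebuild the constant the byte-wise cmp/jne chain tests, cross-checking the
    decoded bytes against W32Dasm's printed operands and jump targets."""
    chars = {}
    for addr, code, mnem, ops in parse(listing):
        if mnem == "cmp":
            disp, imm = decode_cmp_imm8(code)
            if int(ops.rsplit(",", 1)[1], 16) != imm:
                raise ValueError(f"operand text disagrees with bytes at {addr:08X}")
            chars[disp] = chr(imm)
        elif mnem in ("je", "jne") and short_jump_target(addr, code) != int(ops, 16):
            raise ValueError(f"jump target disagrees with bytes at {addr:08X}")
    return "".join(chars[d] for d in sorted(chars))
```

Running recover_compared_string(LISTING) reproduces the 6287-A derived by hand in step 6, and the jump-target check catches a listing whose printed addresses no longer match the bytes (for instance after a mis-copied line).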
<div id="KB2Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB2'); return false">
2. Exercise 2 Answer</a> </span></div>
<div id="KB2Child" class="child"> <span class="p9"> </span>
<table width="100%" cellspacing="0" align="center">
<tr bgcolor="#EFEFEF">
<td>
<p class="p9">1. Tools: W32DASM, Hiew;</p>
<p class="p9">2. Run the crackme, enter a fake serial number and click OK; an error dialog appears with the message "Wrong Code";</p>
<p class="p9">3. Exit the program, make a backup copy, and open the crackme in W32DASM to disassemble it;</p>
<p class="p9">4. Once disassembly is complete, click the <b><i>String Data References</i></b> button, find "Wrong Code" in the list of strings and double-click it;</p>
<p class="p9">5. Close this window and return to the main window; you should see the following lines:</p>
<p class="p9">* Referenced by a (U)nconditional or (C)onditional Jump at Address: <br>
|:<font color="#FF3333">00441806</font>(C) //note the address this block is referenced from <br>
| <br>
:00441822 6A10 push 00000010 <br>
<br>
* Possible StringData Ref from Code Obj ->"Error" <br>
| <br>
:00441824 B984184400 mov ecx, 00441884 <br>
<br>
* Possible StringData Ref from Code Obj ->"<font color="#FF3333">Wrong Code</font>" //double-clicking the string brings you here <br>
| <br>
:00441829 BA8C184400 mov edx, 0044188C </p>
<p class="p9">6. Now search upward from this line until you find instructions such as cmp, jne, je, test and the like:</p>
<p class="p9">:004417F8 E8FBFEFFFF call 004416F8 <br>
:004417FD 8B55F8 mov edx, dword ptr [ebp-08] <br>
:00441800 58 pop eax <br>
:00441801 E83E23FCFF call 00403B44 <br>
:00441806 751A jne <font color="#FF3333">00441822</font> //if this jump is not taken, registration succeeds </p>
<p class="p9">7. Now you know where the program jumps when a wrong registration code is entered. Think about what would happen if the jne above were changed to je. Move the green highlight bar onto :00441806 751A jne <font color="#FF3333">00441822</font>; a line at the bottom of the window shows this instruction's file offset, here @Offset 00040c06h. This is the location that needs to be modified.</p>
<p class="p9">8. Start Hiew, open the crackme, press F4 and select decode mode, then press F5 and enter 40c06. You should see the following lines:</p>
<p class="p9">